[57] ABSTRACT

An apparatus and method are described for supporting a
plurality of connections between a client computer and a
network server. The client computer supports a plurality of
simultaneously logged on ("active") services. The client
computer creates a connection for each set of distinct
credentials supplied by services logged onto the client
computer. The client computer includes a redirector for
maintaining independent control, status and data information
for a plurality of independent connections associated
with the plurality of simultaneously active services having
distinct sets of credentials.

29 Claims, 5 Drawing Sheets 

METHOD AND APPARATUS FOR SUPPORTING MULTIPLE, SIMULTANEOUS
SERVICES OVER MULTIPLE, SIMULTANEOUS CONNECTIONS BETWEEN
A CLIENT AND NETWORK SERVER

This is a divisional of application Ser. No. 08/374,814, 
filed on Jan. 19, 1995, now U.S. Pat. No. 5,682,478. 

AREA OF THE INVENTION

The present invention generally relates to an apparatus 
and method for coordinating the requests and responses 
between client computers and server computers in a 
network, and more particularly to the simultaneous mainte- 
nance of a plurality of connections, or virtual circuits, 
between a client computer and a server computer on a 
network. 

BACKGROUND OF THE INVENTION 

The utilization of networks as a means for fulfilling users'
computing needs has increased quite substantially in recent
years. Networks, especially those including a central file
system shared by the networked computers, offer the advantage
over standalone personal computers of providing users
access to a wide variety of computer resources without
consuming large quantities of storage space on the personal
computers' local drives. The storage saving advantage is
achieved by storing application programs and databases
within a shared data storage device connected via a network
to a plurality of client computers.

In a network environment, a network server is a network
entity associated with a resource shared by a network. The
network server receives requests for the shared network
resource from network entities referred to as client computers.
The network server acts upon the requests and issues
responses to the client computers.

In the example provided above of a shared data storage
device connected to a plurality of client computers, a network
file server provides client computers access to the data
on the network file server's shared data storage device by
receiving requests from the client computers for resources
provided by the shared data storage device, acting upon the
requests, and returning a response to the client computers.

After a client computer transmits a request to a network
server, a response from the network server to the client
computer's request may be delayed because a requested
network resource is not currently available. For example, the
requested resource may be currently allocated solely to
another client computer in the network, or the network
server may be inoperative and thus unable to respond to any
client computer requests. Other instances in which a client
computer may experience substantial wait times in receiving
a response to a request include client computer requests
which require a substantial amount of processing in order to
complete. An extended wait time is also incurred for receiving
a response to a network request when the request must
be routed through a number of heavily traversed routing
nodes before reaching its intended network server destination.

A feature of personal computer operating systems which
is gaining popularity as microprocessor speeds and RAM
memory capacity increase is the ability to run a plurality of
processes simultaneously by time switching the plurality of
processes. A personal computer maintains a list of active
processes. Each of the simultaneously active processes is
executed on the processor for a period of time until the
process is interrupted. Therefore, in a network environment
having client computers capable of having a plurality of
simultaneously active processes, a process running on a
client computer typically relinquishes its claim to the client
computer's processor after issuing a network request to a
network server so that other tasks associated with other
active processes may be performed while the process waits
for a response to the network request. The processor is then
claimed by another one of the plurality of processes.

A "service" is a set of one or more processes treated as a
single logical entity by a computer system when invoked.
Examples of services include an interactive user service
associated with the user interface devices in a system such as
the display and keyboard; a well known Systems Network
Architecture (SNA) Host Gateway service; a Standard
Query Language (SQL) Database service; and an email
service. These examples are merely illustrative examples
and many others will be known to those skilled in the art.

A network redirector on a client computer facilitates
access by services on a networked computer to other
machines on a network. The redirector accomplishes this
function by receiving network requests from processes associated
with various services and directing the network
requests to a proper transport layer (in the context of the OSI
Network model) network driver. A "connection" is a communication
channel established between two computers for
supporting a conversation between the two computers for
which each computer maintains state information. In order
to transmit network requests from a service on a client
computer to a destination computer, the redirector establishes
a connection to the destination computer and maintains
information regarding the state of the network requests.

In the multi-processing environment, more than one of a 
plurality of simultaneously running processes may attempt 
to issue a network request to a same network server via a 
redirector. Therefore, when developing an operating system 
for a network, one must consider a situation where a second 
network request arises in a client computer for which a first 
network request is still pending. 

In accordance with the known NETWARE (Novell, Inc.)
Core Protocol (NCP), a client computer and network server
coordinate network requests from client computer processes
in a request and acknowledge mode wherein only a single
outstanding request is allowed on a connection between the
client computer and a network server. After a client computer
transmits a first request to a network server, the client
computer withholds issuing a second request to the network
server on the connection until a response is received from
the network server for the first request. Thus, the process
from which the second request arises cannot continue until
a response is received by the client computer for both the
second request and the earlier issued first request.

In a known networked computer system, a redirector, 
while capable of supporting a plurality of simultaneously 
active services, supports only a single connection between a 
client computer and a network server. Furthermore, in the 
known computer system the redirector does not distinguish 
between the various services (which share a single set of 
credentials) when executing network requests in accordance 
with a request from one of the services associated with the 
redirector. In this known system, a server cannot limit access 
to only certain services which pass their requests to the 
server via a single redirector which creates and maintains a 
connection to the server. 

The sharing of a single connection by a plurality of 
services in accordance with the known system limits the 
performance capabilities of computer systems, such as those
operating under the NCP, wherein only a single outstanding 
network request is supported. In multiprocessing systems 
operating under NCP, a process issuing a second network 
request on a connection must wait for the system to receive 
a response to a first network request over the connection 
before the second network request can be issued by the 
system over the connection. 

Security systems, when implemented in a network
environment, are closely associated with network redirectors.
The security systems ensure that data shared on a
network connection associated with a redirector is protected
from unauthorized access, use, or modification. When a
redirector receives a network request from a logged on
service, network security systems determine whether the
network request from the logged on service is allowed.
Requests for network resources via a connection are coupled
to identification and authentication information associated
with a logged on service. The security systems verify that the
authenticated service is entitled to submit the received
network request.

When developing security mechanisms for a network 
operating system in a client computer supporting a plurality 
of services or sessions, one must also consider how to 
implement security measures on the client computer, and in 
particular how to utilize passwords when more than one 
service may currently be active. In a known network security 
system, an access token is constructed from the identifica- 
tion and authentication information supplied by a user while 
logging onto a client computer. The access token identifies 
the authenticated user and privileges allocated to the authen- 
ticated user. However, neither the access token nor a redi- 
rector reading a request specifying the access token links the 
privileges to services from which the requests originate. 

SUMMARY OF THE INVENTION 

It is an object of the present invention to ensure that a 
network request to a network server on a first service does 
not block the transmission of a second network request to a 
same network server submitted by a second, independent 
service running on a multiprocessing computer. 

It is yet another object of the present invention to support 
a number of simultaneously active services on a client 
computer specifically linked to distinct service identification 
and authentication information (credentials). 

The above described and other objects are fulfilled by a
new apparatus and method for supporting multiple connections
between a client computer and a network server. The
client computer supports a plurality of simultaneously
logged on ("active") services. The client computer creates a
connection for each set of distinct credentials supplied by
services logged onto the client computer. The client computer
includes a redirector for maintaining independent
control, status and data information for a plurality of independent
connections associated with the plurality of simultaneously
active services having distinct sets of credentials.

In accordance with an embodiment of the invention, a
client computer includes a list of logon elements. Each logon
element corresponds to a logged on service on the client
computer. The list of logon elements contains the identification
and authentication information associated with each
logged on service.

In accordance with an embodiment of the invention, each
independent connection is associated with a logged on
family of related processes (service) and an identified network
server. Therefore, two different services logged onto a
same client computer have two independent connections.

In accordance with an embodiment of the invention, the
control, status and data information associated with the
independent connections includes server control blocks.
Each server control block corresponds to a connection for a
logged on service. As additional connections are created for
logged on services on the client computer, the redirector
creates additional server control blocks corresponding to the
connections. If a logged on service is connected to a
plurality of servers, separate server control blocks are maintained
by the redirector for each connection.

The present invention improves the performance of a
client computer capable of running a plurality of simultaneously
active processes which submit network requests to
a same network server in accordance with the single outstanding
request rule of NCP. Furthermore, providing a
plurality of connections between the client computer and
network server facilitates logically linking a connection to a
specific logged on service.

BRIEF DESCRIPTION OF THE DRAWINGS

The appended claims set forth the features of the present
invention with particularity. The invention, together with its
objects and advantages, may be best understood from the
following detailed description taken in conjunction with the
accompanying drawings of which:

FIG. 1 is a schematic diagram of a prior art network
connection scheme between a client computer and a network
server computer wherein a single redirector supports a single
transport layer connection between the client computer
having a plurality of logged on services and the network
server;

FIG. 2 is a diagram of a network connection scheme
between a client computer and a network server computer
wherein the redirector supports a plurality of connections
between the client computer and network server in accordance
with an embodiment of the present invention;

FIG. 3 is a schematic depiction of a logon list element
comprising logon data for an authenticated service on a
client computer;

FIG. 4 is a schematic depiction of a server control block
(SCB) comprising identification information for an authenticated
service and behavior specifications for the identified
authenticated service;

FIG. 5 is a schematic depiction of a file control block
(FCB) comprising information relating to a specified file for
an authenticated service;

FIG. 6 is a schematic depiction of an instance control
block (ICB) comprising information relating to a part of a
specified file currently accessed by an authenticated service;

FIG. 7 is a schematic depiction of a logon list comprising
three logon list elements corresponding to the three logged
on services depicted in FIG. 2;

FIG. 8 is a schematic depiction of an illustrative arrangement
of the SCB, FCB and ICB components for a redirector
for maintaining connection state information in accordance
with the connection scheme depicted in FIG. 2;

FIG. 9 is a flow chart summarizing the steps performed by
a client computer in building and maintaining a list of logon
list elements of the type illustrated in FIG. 8 corresponding
to services logged onto a client computer; and

FIG. 10 is a flow chart summarizing the steps performed
by a redirector of a client computer in building and maintaining
a plurality of connections between a client computer
and a network server.

DETAILED DESCRIPTION OF THE DRAWINGS

Turning now to FIG. 1, a known network redirector
connection arrangement for a client and server is schematically
depicted. In the prior art example, a client computer 2
comprises a redirector 4 supporting a connection 6 to a
Network Server 8 via a transport driver (TD) 10.
Furthermore, the client 2 provides security mechanisms for
authenticating users when users attempt to access the
resources provided by a Service A 12, a Service B 14 or a
Service C 16.

A connection 6 is created in response to a network request
by the Service A 12, Service B 14, or Service C 16.
Alternatively, the connection 6 is established in response to
one of the Services 12, 14 or 16 supplying explicit credentials
to the Network Server 8 via the redirector 4. The connection 6
comprises a collection of transport layer (in the
OSI network model) processes which represent the client
computer 2 and its set of logged on services 12, 14 and 16.

In the known networked client computer 2 illustratively
depicted in FIG. 1, the services share a single set of 
credentials which are provided to the redirector 4 when any 
one of the services 12, 14 or 16 logs onto the client computer 
2. After one of the three services (Service A 12, Service B 
14, or Service C 16) logs onto the client computer 2 and the 
redirector establishes a connection with the network server 
8, all three services share a single set of credentials when 
directing requests to the Network Server 8. However, in this 
known redirector scheme a network administrator cannot 
designate access to the Network Server 8 through specific 
ones of the services associated with the redirector 4. Since 
the Network Server 8 cannot identify a service from which 
a network request originated, if one service associated with 
the redirector 4 may access the Network Server 8, all of the 
logged on services associated with the redirector 4 may 
submit requests to the Network Server 8. 

An additional drawback of the prior art redirector illustrated
in FIG. 1 which supports a single connection between
the client computer 2 and Network Server 8 is the limitation
on throughput resulting from the absence of a plurality of
connections between the client computer 2 and Network
Server 8. The known redirector 4 utilizes the NCP. The NCP
supports a single outstanding network request between a
server and client on a connection. Therefore, if a first
network request is submitted via Service A 12, control
switches to the Service B 14, and Service B 14 submits a
second network request prior to the redirector 4 receiving a
response to the first network request; then the second
network request is blocked and will not be transmitted by the
redirector 4 (via the single connection 6) until the response
to the first network request is received by the redirector 4.

In summary of the above, the known redirector 4 sche- 
matically illustrated in FIG. 1 does not (1) distinguish 
between services associated with the redirector 4 
credentials, or (2) allow multiple outstanding network 
requests from separate services on a single client computer. 

Turning now to FIG. 2, a network redirector connection 
arrangement embodying the present invention is schemati- 
cally depicted. In the illustrative embodiment depicted in 
FIG. 2, a client computer 20 operating system includes a 
program manager supporting a plurality of services (Service 
A 34, Service B 36, and Service C 38). The client computer 
20 comprises a multi-connection redirector 22 supporting a 
plurality of connections 24, 26 and 28 to a Network Server 
30 via a transport driver (TD) 32. Furthermore, the client 20 
provides known security mechanisms for authenticating 
credentials when the Service A 34, the Service B 36 or the 
Service C 38 attempts to communicate a request for the 
resources associated with the Network Server 30 via the 
connections 24, 26 or 28.

The connections 24, 26 and 28 are independently established
between the client computer 20 and the network
server 30. Connection 24 is established when the Service A
34 issues a request to the Network Server 30, connection 26
is established when the Service B 36 issues a request to the
Network Server 30, and connection 28 is established when
the Service C 38 issues a request to the Network Server 30.
Each connection between the client computer 20 and network
server 30 is associated with a separate set of credentials
associated with a logged on service. In an alternative
embodiment of the invention, more than one service may be
associated with a connection. However, the redirector 22
supports a plurality of connections, and less than all of the
services are associated with a single connection (i.e., at least
one service is associated with a second connection maintained
by the redirector 22 with the Network Server 30). The
separate and independent logging on of each service enables
a server to distinguish between requests of various services
associated with different connections. This in turn allows the
system administrator to selectively limit access by a server
to only certain services on a client computer with which a
connection to a network server is associated. In the illustrative
embodiment of the invention, the credentials for a
service comprise a username and a password supplied by a
service when a service logs onto the client computer 20. A
service's credentials may be entered by a user via a keyboard.
However, other forms of credential allocation
schemes, including a magnetically encoded identification
and personal identification number, would be known to
those skilled in the art of computer security schemes.

Furthermore, since the redirector 22 maintains separate 
connections 24, 26, and 28 for the Service A 34, the Service 
B 36, and the Service C 38 to a network server 30, the 
blocking problem (described above) associated with the 
prior art redirector scheme of FIG. 1 is avoided with respect 
to the separately connected services. In the illustrative 
embodiment of the invention, the client 20 may transmit a 
first request from Service A 34 and then transmit a second 
request on Service B 36 (or Service C 38) prior to receiving 
a response to the first request without violating the "one 
outstanding request per connection" limitation associated 
with the NCP since the first and second requests are asso- 
ciated with distinct connections. 

Having generally described an embodiment of the
invention, attention is now directed to individual components
of the client computer 20, and in particular the
redirector 22, that facilitate the creation and maintenance by
the client computer 20 of multiple connections between a
client computer and network server associated with specified
services. Turning now to FIG. 3, the redirector 22 creates a
logon list element for each logged on service. Each logon list
element specifies a Local Unique Identification (LUID) 40
assigned by the security system (not shown) of the client
computer 20 identifying an authenticated service to the
redirector 22. In an alternative embodiment of the invention,
the LUID may be associated with a plurality of services
which will share a single connection to a network server.

Each logon list element also specifies a user name 42
provided by a service while logging onto the client computer
20. The illustrated logon list element also includes a password
44 associated with the username 42. Together, the
username 42 and the password 44 comprise the set of
credentials utilized by a network security system for creating
an access token for a logged on service from a policy
database defining privileges and limitations associated with
sets of credentials. The username 42 is included in network
requests during connection creation and is used directly by
the Network Server 30 to determine whether a request is
authorized. The LUID 40, username 42, and password 44 are
provided by the security system to the redirector 22 after the
security system verifies a service's credentials.

The manner in which the username and password information
are provided is a design consideration. For example,
the interactive user service usually obtains the credentials
from a user via the user interface of the client computer 20.
Other services obtain the credentials used by the services
during logon through pre-stored lists of credentials maintained
by a network administrator. Other suitable methods
for obtaining credentials to be used by a service during logon
will be known by those skilled in the art.

In the illustrative embodiment of the invention, the logon
list elements are maintained in a linked list of records. Each
logon list element includes a Pointer To Next Logon Element
46 providing a link to a next logon list element. Other
suitable alternative data structures for maintaining a list of
service credentials would be known to those skilled in the
art. Such alternative data structures include, for example, an
array of records.

Turning now to FIGS. 4-6, the redirector 22 for the client
computer 20 maintains data, status and control information 
for a plurality of network connections between the client 
computer 20 and the network server 30. It is noted that the 
contents of the redirector components illustrated in FIGS. 4, 
5 and 6 described below are illustrative. Other suitable 
components for maintaining a plurality of connections 
between the client computer 20 and the Network Server 30 
will be known to those skilled in the art in view of the 
illustrative embodiment of FIGS. 4, 5 and 6 and the detailed 
description below. 

Turning to FIG. 4, a Server Control Block includes data,
status and control information for a specified connection
supported by the redirector 22. The redirector 22 creates and
maintains a Server Control Block for each separate connection
(identified by an LUID and network server
identification). In the illustrated embodiment of the
invention, each connection corresponds to a specific logged
on service. Each Server Control Block includes an LUID 50
specifying a unique identifier for a logged on service associated
with the Server Control Block. Each Server Control
Block also includes a server identification 52 specifying a
unique identification for a connected network server.
Together, the LUID 50 and server identification 52 specify
a unique connection to be used by processes running on a
service and a particular network server.

Each Server Control Block also includes status and control
information for maintaining a conversation with the
specified network server. A sequence number 54 specifies a
value which is to be assigned by the redirector 22 to the next
packet of information transmitted on the specified connection.
A time out value 56 specifies a minimum period of time
the redirector 22 will wait before retransmitting a network
request to the server 30. A maximum packet size 58 specifies
the number of bytes of data which may be included in a data
packet transmitted via the specified connection.

Each connection is allocated a set of IPX sockets.
Accordingly, each Server Control Block in the illustrative
embodiment of the present invention includes a set of
handles to IPX sockets 60. IPX is a well known transport
level (in the ISO model) protocol. The set of handles to IPX
sockets 60 identify processes residing within the client
computer 20, and the set of handles to IPX sockets 60 act as
receiving and transmitting points for communications
between the redirector and a network server 30 on a network
connection. The set of handles to IPX sockets 60, provided
initially by the transport driver 32, enable the transport
driver 32 to associate transmission requests and responses
from the network server 30 with a connection.

Each Server Control Block includes a username 62 and a 
password 64. If a service supplies explicit (network server 
specific) credentials when an initial network request is made 
by the service (resulting in the creation of a connection by 
the redirector 22 and the Network Server 30), then these 
values are stored in the username 62 and password 64. 
Otherwise the username 62 and password 64 are filled by 
accessing the username 42 and password 44 comprising the 
authenticated credentials of the service associated with the 
connection. Each Server Control Block also includes a 
Pointer To File Control Blocks 66 associated with the Server 
Control Block. The contents of the File Control Blocks are
described in detail below in conjunction with a detailed 
description of FIG. 5. 

Each Server Control Block also includes a Pointer To 
Next Server Control Block 68. The Pointer To Next Server 
Control Block 68 specifies a link to a next Server Control 
Block for an authenticated service having a same specified 
LUID, but specifying a different network server. The begin- 
ning addresses for Server Control Blocks for services not 
having a same LUID are maintained in a list of pointers (not 
shown). Other suitable alternative data structures for main- 
taining a set of Server Control Blocks would be known to 
those skilled in the art. Such alternative data structures 
include, for example, pointers to Server Control Blocks
arranged as a two dimensional array of records specified 
primarily by LUID and secondarily by network server. 
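
The C code below is an added example, not part of the patent: it models the logon list element of FIG. 3 and the Server Control Block of FIG. 4, keyed by LUID and server identification, and shows a pending request from one service leaving another service's connection free under the one-outstanding-request rule. The `rdr_*` function names, the `outstanding` flag, the single flat list of SCBs and the numeric server id are assumptions made for illustration; the sample logons (LUID 451 and 452) are the ones the patent text uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RDR_BUSY (-1)  /* a request is already outstanding on this connection */
#define CRED_LEN 32

/* Logon list element (FIG. 3): one per logged-on service. */
typedef struct logon_elem {
    uint32_t luid;             /* LUID 40, assigned by the security system */
    char username[CRED_LEN];   /* username 42 */
    char password[CRED_LEN];   /* password 44 */
    struct logon_elem *next;   /* Pointer To Next Logon Element 46 */
} logon_elem;

/* Server Control Block (FIG. 4): one per (LUID, server) connection. */
typedef struct scb {
    uint32_t luid;             /* LUID 50 */
    uint32_t server_id;        /* server identification 52 */
    uint32_t sequence;         /* sequence number 54 */
    int outstanding;           /* assumption: set while a response is awaited */
    char username[CRED_LEN];   /* username 62 */
    char password[CRED_LEN];   /* password 64 */
    struct scb *next;          /* assumption: one flat list of all SCBs */
} scb;

typedef struct { logon_elem *logons; scb *scbs; } redirector;

/* Record a service that the security system has already authenticated. */
int rdr_logon(redirector *r, uint32_t luid, const char *user, const char *pass) {
    logon_elem *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->luid = luid;
    snprintf(e->username, CRED_LEN, "%s", user);
    snprintf(e->password, CRED_LEN, "%s", pass);
    e->next = r->logons;
    r->logons = e;
    return 0;
}

/* Find or create the connection for (luid, server_id). Explicit,
   server-specific credentials are stored when supplied; otherwise the
   service's logon credentials are copied in. NULL if the LUID is unknown. */
scb *rdr_connect(redirector *r, uint32_t luid, uint32_t server_id,
                 const char *user, const char *pass) {
    for (scb *s = r->scbs; s; s = s->next)
        if (s->luid == luid && s->server_id == server_id) return s;
    logon_elem *e = r->logons;
    while (e && e->luid != luid) e = e->next;
    if (!e) return NULL;
    scb *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->luid = luid;
    s->server_id = server_id;
    snprintf(s->username, CRED_LEN, "%s", user ? user : e->username);
    snprintf(s->password, CRED_LEN, "%s", pass ? pass : e->password);
    s->next = r->scbs;
    r->scbs = s;
    return s;
}

/* Send one request: returns its sequence number, or RDR_BUSY when this
   connection already has a request awaiting its response. */
int rdr_send(scb *s) {
    if (s->outstanding) return RDR_BUSY;
    s->outstanding = 1;
    return (int)s->sequence;
}

/* Accept a response; only the sequence number in flight is valid. */
int rdr_response(scb *s, uint32_t seq) {
    if (!s->outstanding || seq != s->sequence) return -1;
    s->outstanding = 0;
    s->sequence++;
    return 0;
}

/* Constructed scenario with the patent's sample logons for Service A
   (LUID 451) and Service B (LUID 452), both talking to server 1. */
int demo(void) {
    redirector r = {0};
    if (rdr_logon(&r, 451, "JaneSmith", "11111") ||
        rdr_logon(&r, 452, "HostGateway", "22222")) return 0;
    scb *a = rdr_connect(&r, 451, 1, NULL, NULL);
    scb *b = rdr_connect(&r, 452, 1, NULL, NULL);
    if (!a || !b) return 0;
    int first = rdr_send(a);    /* Service A's request goes out */
    int second = rdr_send(b);   /* Service B is not blocked by A's request */
    int again = rdr_send(a);    /* A's own second request must wait */
    return a != b && first == 0 && second == 0 && again == RDR_BUSY;
}

int main(void) { return demo() ? 0 : 1; }
```

Because each SCB carries its own username, the server sees a distinct identity per connection and can authorize each service separately, which is the access-control property the description attributes to the multi-connection redirector.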

Turning to FIG. 5, the status and control information for
a connection supported by the redirector 22 comprises a File
Control Block containing information relating to a specified
file associated with an authenticated server process and
service identified in a Server Control Block to which the File
Control Block is linked. The File Control Block includes an
LUID 70 specifying a unique identifier for a logged on
service associated with the File Control Block. The File
Control Block also includes a Server Identification 72 specifying
a unique identification for a connected network server.
The File Path\Name 74 specifies a file name and a directory
path on the connected network server identified by the
Server ID 72. The File Control Block also includes File Data
76 containing a portion of the file specified by the File
Path\Name 74 in the connected network server. Each File
Control Block also includes a Pointer To Instance Control
Blocks 78 associated with the File Control Block. The
contents of the Instance Control Blocks are described in
detail below in conjunction with a detailed description of
FIG. 6.

Each File Control Block also includes a Pointer To Next 
File Control Block 80. The Pointer To Next File Control 
Block 80 specifies a link to a File Control Block associated 
with a same specified Server Control Block. Thus, when a 
service accesses a plurality of files through a same 
connection, the redirector 22 maintains portions of the files 
in separate, linked File Control Blocks. The maintenance of 
a plurality of File Control Blocks for a same connection 
reduces the instances when it is necessary for the redirector 
22 to request a file from a connected network server when 
a service is accessing a plurality of files in an interleaved 
manner since the file data is maintained even when the 
service accesses another file provided by a connected net- 
work server. 

While the illustrative embodiment of the invention links
related File Control Block records by means of pointers
contained in the Pointer To Next File Control Block 80,
other suitable alternative data structures for maintaining a
set of File Control Blocks would be known to those skilled
in the art. Such alternative data structures include, for
example, pointers to File Control Blocks arranged in an
array of records specifying the beginning addresses of File
Control Blocks associated with a specified Server Control
Block.

Each File Control Block also includes a Pointer To Parent
Server Control Block 82. The Pointer To Parent Server
Control Block 82 contains the starting address of the Server
Control Block with which the File Control Block is associ-
ated. This pointer enables the redirector to quickly return to
a Server Control Block from the File Control Block.

Turning to FIG. 6, the status and control information for
a connection supported by the redirector 22 comprises an
Instance Control Block having an Application Handle 84.
The Application Handle 84 uniquely identifies a process
running within a service that caused the file identified in an
associated File Control Block to be retrieved from the
Network Server 30. The Application Handle 84 enables the
redirector 22 to distinguish between multiple uses of a same
file by one or more processes running under a service
associated with a specified connection.

Each Instance Control Block also includes a File Pointer
86 specifying a current location in the currently accessed
File currently accessed by the process specified in the
Application Handle 84. The Instance Control Block also
includes a Pointer To Next Instance Control Block 88. The
Pointer To Next Instance Control Block 88 specifies an
address for a next Instance Control Block associated with a
same File Control Block.

While the illustrative embodiment of the invention links
related Instance Control Block records by means of pointers
contained in the Pointer To Next Instance Control Block 88,
other suitable alternative data structures for maintaining a
set of Instance Control Blocks would be known to those
skilled in the art. Such alternative data structures include, for
example, pointers to Instance Control Blocks arranged in an
array of records specifying the beginning addresses of
Instance Control Blocks associated with a specified File
Control Block.

The Instance Control Block also includes a Pointer To
Parent File Control Block 89. The Pointer To Parent File
Control Block contains the starting address of the File
Control Block with which the Instance Control Block is
associated. This pointer enables the redirector 22 to quickly
return to a File Control Block from the Instance Control
Block.

Having described the individual building blocks for the
data, status and control information associated with the
redirector 22 in the illustrative embodiment of the present
invention, attention is now directed to FIGS. 7 and 8
comprising a schematic illustration of the information stored
in the redirector 22. It should be understood that the con-
figuration of the data, status and control information asso-
ciated with the redirector is dynamic and changes as services
log onto the client computer 20, request resources from a
network server such as the Network Server 30 (resulting in
the creation of a connection), access files via the network
connection and log off the client computer 20.

Turning now to FIG. 7, an illustrative example of a linked
list of logon elements maintained by the redirector 22 is
schematically depicted. The logon list in FIG. 7 comprises
three logon list elements associated with the separate and
independent Service A 34, Service B 36 and Service C 38 on
the client computer 20. A logon list element 90 having a
username JaneSmith, a password "11111", and an LUID
"451" (provided to the redirector 22 by the security system
for the client computer 20 when a service successfully logs
onto the client computer 20) is located at the head of the
logon list. The logon list element 90 is associated with the
Service A 34 (an interactive user service). All processes
created by the Service A 34 will have the same LUID. The
Pointer to Next Logon 92 for the logon list element 90
comprises the address of a second logon list element 94.
The second logon list element 94 is associated with the
Service B 36 (an SNA service). The security system has
assigned an LUID "452" to the second logon list element 94.
The second logon list element 94 is associated with a
username HostGateway having a password "22222". Thus,
Service A 34 and Service B 36 possess separate and distinct
logon identities (LUID's). The Pointer to Next Logon 96 for
the second logon list element 94 comprises an address of a
third logon list element 98.

The third logon list element 98 is associated with the
Service C 38 (an email service). The security system has
assigned an LUID "453" to the third logon list element 98.
The third logon list element 98 is associated with a username
"mailserver" having a password "33333". The Pointer to
Next Logon 99 for the logon list element 98 comprises a NIL
address. The NIL address indicates to the redirector 22 or
any other process reading the list that the third logon list
element 98 is presently the final logon list element for the
client computer 20. Alternative appropriate end-of-list iden-
tifiers would be known to those skilled in the art.

Finally, it is noted with respect to FIG. 7, that the linked
list of logon list elements is merely an illustrative example.
Other suitable data structures for maintaining a list of logon
list elements will be known to those skilled in the art. For
example, an array data structure may alternatively be used
having a specified maximum number of concurrent logged
on services provided by the client computer 20.

Furthermore, it will be understood by those of ordinary skill
in the art that alternative multiple connection client com-
puters may not include security systems or require a user to
logon (provide a username) to a service connected to a
network server. Such systems would likely not include the
same information in their logon list elements as the logon list
elements described above. However, the list would include
an identifier for a service (or group of services) associated
with a same connection when the service (or one of the
group of services) makes a network request to a network
server.

Turning now to FIG. 8, an illustrative example is provided
of the Server Control Blocks, File Control Blocks, and
Instance Control Blocks maintained by the redirector 22 in
accordance with the present state of each of the services 34,
36 and 38 to network servers NW312 and NW401 (not
shown). A first linked list of server control blocks 100
associated with the Service A 34 includes a Server Control
Block 102. The Server Control Block 102 is associated with
the connection 24 identified by an LUID "451" and a
network server "NW312". The Server Control Block 102
contains status information for the connection 24 associated
with the Service A 34. The Pointer To File Control Blocks
103 of the Server Control Block 102 points to a File Control
Block 104 associated with a file on the Network Server 30
specified by the path and file name "\sys\foo.txt".

The Pointer To Instance Control Blocks 105 of the File
Control Block 104 points to an Instance Control Block 106
specifying the position in the file "foo.txt" of the Network
Server 30 previously accessed by the Service A 34 via the
connection 24. Since only a single Instance Control Block is
associated with the File Control Block 104, the Pointer to
Next Instance Control Block equals NIL for the Instance
Control Block 106. The NIL value indicates the end of the
Instance Control Blocks associated with the File Control
Block 104. Though not shown in FIG. 8, the last Instance
Control Block in each linked list of Instance Control Blocks
associated with a specified file includes a NIL value for its
Pointer To Next Instance Control Block.

A Pointer To Next File Control Block 107 of the File
Control Block 104 points to a File Control Block 108
associated with a file on the Network Server 30 specified by
the path and file name "\sys\new.txt". The Pointer To
Instance Control Blocks 109 for the File Control Block 108
points to an Instance Control Block 110 specifying a first
location in the file "\sys\new.txt" previously accessed by
the Service A 34 via the connection 24. A Pointer To Next
Instance Control Block 111 points to an Instance Control
Block 112 specifying a second location in the file
"\sys\new.txt". A Pointer To Next File Control Block for the
File Control Block 108 equals NIL. The NIL value indicates
the end of the File Control Blocks associated with the Server
Control Block 102. Though not shown in FIG. 8, the last File
Control Block associated with a specified Server Control
Block includes a NIL value for its Pointer To Next File
Control Block.

Though not shown in FIG. 2, the Service A 34 is con-
nected to a network server identified as "NW401" via a
connection separate and distinct from the connection 24 to
the Network Server 30. A Pointer To Next Server Control
Block 113 points to a Server Control Block 114 associated
with the connection identified by the LUID "451" and the
network server "NW401". The Pointer To File Control
Blocks 115 for the Server Control Block 114 points to a File
Control Block 116 associated with a file on the network
server identified as "NW401" specified by the path and file
name "\sys\dbase.txt". The Pointer To Instance Control
Blocks 117 of the File Control Block 116 points to an
Instance Control Block 118 specifying a position in the file
"\sys\dbase.txt" of the Network Server 30 previously
accessed by the Service A 34 (interactive user service) via
the connection to the NW401 server. Since the Server
Control Block 114 is the last Server Control Block associ-
ated with the Service A 34, the Pointer To Next Server
Control Block for the Server Control Block 114 equals NIL.
Though not shown in FIG. 8, the last Server Control Block
associated with each linked list of Server Control Blocks
includes a NIL value for its Pointer To Next Server Control
Block.

A second linked list of server control blocks 120, asso-
ciated with the Service B 36, includes a Server Control
Block 122. The Server Control Block 122 is associated with
the connection 26 identified by an LUID "452" and a
network server "NW312". The Server Control Block 122
contains status information for the connection 26 associated
with the Service B 36. The Pointer To File Control Blocks
123 for the Server Control Block 122 points to a File Control
Block 124 associated with a file on the Network Server 30
specified by the path and file name "\apps\word\doc.txt".
The Pointer To Instance Control Blocks 125 of the File
Control Block 124 points to an Instance Control Block 126
specifying a position in the file "\apps\word\doc.txt" of the
Network Server 30 previously accessed by the Service B 36
via the connection 26. A Pointer To Next Instance Control
Block 127 points to an Instance Control Block 128 speci-
fying a second location in the file "\apps\word\doc.txt"
previously accessed by the Service B 36 via the connection
26.

A third linked list of server control blocks 130, associated
with the Service C 38, includes a Server Control Block 132.
The Server Control Block 132 is associated with the con-
nection 28 identified by an LUID "453" and a network
server "NW312". The Server Control Block 132 contains
status information for the connection 28 associated with the
Service C 38. The Pointer To File Control Blocks 133 for the
Server Control Block 132 points to a File Control Block 134
associated with a file on the Network Server 30 specified by
the path and file name "\sys\com.fil". The Pointer To
Instance Control Blocks 135 of the File Control Block 134
points to an Instance Control Block 136 specifying the
position in the file "\sys\com.fil" of the Network Server 30
previously accessed by the Service C 38 via the connection
28.

In closing, with respect to FIG. 8, it is noted that the
configuration of the data, status and control information for
separate and independent connections supported by the
redirector 22 is illustrative and other suitable organization
[...] maintaining the data, status and control infor-
mation for the plurality of connections in accordance with
the present invention will be known to those skilled in the art
in view of the illustrative embodiment. Though arrays of
records are less flexible than linked lists of records in terms
[...] suitable alternatives when sized
appropriately to cover foreseeable operating conditions in
terms of: the number of logged on services, the number of
connections to network servers, the number of files accessed
concurrently on a single connection, and the number of
points accessed within the accessed files.

Having described the components of the redirector 22
facilitating the maintenance of a plurality of connections
between a client 20 and a network server, attention is now
directed to the processes and procedures executed by the
client computer 20 to establish and maintain a plurality of
connections between the client computer 20 and the Net-
work Server 30 by means of the redirector 22, and to execute
[...] associated
with the connections.

In the illustrative embodiment of the invention, the redi-
rector 22 is incorporated into a secure network. Therefore,
prior to establishing a connection to the network server 30,
a service must log on the client computer 20 and provide
identification and authentication information to a network
security system. After the security system determines the
privileges and limits of the authenticated service, the secu-
rity system provides a message to the redirector 22 contain-
ing an LUID, username and password for the authenticated
service. The redirector 22 uses this information to build a
logon list element for the authenticated service. Thereafter,
in response to a first network request from the service, a
connection associated specifically with the authenticated
service is established between the client computer 20 and the
network server 30. Though a detailed description of the
logon process follows, additional description of the logon
process and the security system is provided by Inside
Windows NT, by Helen Custer, © 1993 Microsoft Press
which is incorporated by reference.

Turning to FIG. 9, the steps are summarized for logging
a service onto the client computer 20 and establishing a
connection associated specifically with the LUID for the
logged on service and the network server 30 by means of the
redirector 22. It is noted that in accordance with the illus-
trative embodiment of the present invention, a specified
service logs onto a client computer. Therefore, when a
service logs onto the client computer 20 for which a logon
list element does not currently exist, the service must
provide identification and authentication information for the
new service in accordance with the steps summarized in
FIG. 9. This identification and authentication information is
added to a linked list of logon list elements corresponding to
logged on services on the client computer 20. (See FIG. 7).

In response to a service initiating a logon process for a
service on the client computer 20, the service provides a
username and password to the security system. After the
service provides the identification and authentication infor-
mation to the security system, control passes to step 152.

At step 152, a security system verifies the identification
and authentication information. Verification is accomplished
by querying a Security Accounts Manager (SAM) database.
The SAM database contains a listing of all authorized
service usernames, the passwords associated with the
usernames, and the privileges and limitations assigned to the
authorized services. After the identification and authentica-
tion information is verified by the security system of the
client computer 20, control passes to step 154.

Next, at step 154, if the service's credentials (i.e., iden-
tification and authentication information) are not located in
the SAM database, then access is denied to the service and
control passes to an End step 162. If, however, at step 154,
the service's credentials are located in the SAM database,
then control passes to step 156 and the security system
constructs an access token representing the privileges and
limits associated with the authenticated service. Next, at step
158, an access token handle (also referred to as an LUID)
associated with the access token is passed by the security
system (along with the credentials of the authenticated
service) to the redirector 22 of client computer 20. The
access token handle accompanies all network requests origi-
nating from the logged on service and enables the redirector
22 to identify the connection with which the network request
is associated.

At step 160, the redirector 22 constructs a logon list
element (See FIG. 3) and adds the logon list element to the
end of the linked list of logon elements (See FIG. 7). After
the redirector 22 creates a logon list element for the authen-
ticated service and adds the logon list element to the logon
list element list (See FIG. 7), control passes to the End step
162, and processes running under the logged on service are
now capable of submitting requests to the network server 30
via the redirector 22.

Having described the steps of an illustrative service logon
procedure, attention is now directed to FIG. 10 summarizing
the steps for servicing a network request. When an I/O
manager on the client computer 20 receives a network I/O
request from a process on a service provided by the client
computer, control passes to step 200. At step 200 the I/O
manager creates an I/O Request Packet (IRP), calls a dis-
patch routine in the redirector 22 and passes the IRP to the
redirector 22. Control passes to step 202.

At step 202, the redirector 22 determines whether the IRP
contains a network request identifying an instance control
block for an existing file. If the IRP identifies an instance
control block, then control passes to step 204. At step 204
the redirector 22 forwards the request to the network server
30 via an established connection. The request packet from
the redirector contains a connection number, a sequence
number, process ID, file handle, a file pointer, and an amount
of data to be read (if read). After the network request is
serviced by the network server 30, control passes to step 216
(described below).

If however, at step 202, the IRP does not specify an
instance control block associated with an existing file, then
control passes to step 206. Typical instances where an
instance control block is not provided in an IRP include
when a process associated with the logged on service issues
a network create file request, or when a drive or printer is
redirected by a process running on one of the logged on
services to a network volume or print queue. At step 206, the
redirector 22 reviews the server control blocks to determine
whether a connection exists between the service which
issued the IRP and the identified server. If no connection
currently exists (i.e., no server control block exists with the
[...] LUID and server ID for the specified connection),
control passes to step 208.

At step 208, the redirector 22 establishes a connection
with the identified network server. In order to establish a
connection to an identified network server, the redirector 22:
(1) establishes a connection to a nearest server with which
a connection may be established, queries the connected
server for the address of the server to which the network
request by the process is directed, (2) connects to the server,
(3) logs into the server (may use the credentials [...]
list element), and (4) exchanges control information with the
server in order to initiate a connection between the redirector
22 and the connected network server. The connection pro-
[...] sequence is well known to those skilled in
the art and is summarized in [...],
by Charles Rose pp. 292-300 (ISBN 0-07-[...]8).
The redirector 22 creates a new server control block for
the new connection. Control then passes to step 212
(described below).

If, at step 206, a server control block does exist (i.e., a
connection currently exists for the service from which the
IRP was issued between the redirector 22 and the network
server 30), then control passes directly from step 206 to step
210.

At step 210 the redirector 22 examines the path and file
names associated with File Control Blocks linked to the
Server Control Block identified by the redirector 22 during
step 206 and determines whether one of the File Control
Blocks corresponds to the path and file specified in the IRP.
If at step 210 the redirector 22 determines that there is no
File Control Block corresponding to the file specified in the
IRP, then control passes to step 212.

At step 212, the redirector 22 communicates with the
network server to perform the indicated command on the
file, and the redirector 22 builds a new File Control Block
corresponding to the path and file name specified in the IRP.
The redirector 22 opens a handle to a designated volume (if
necessary) and creates or opens a designated file in a manner
known to those skilled in the art. Control then passes to step
214. If during step 210 the redirector 22 determines that a
corresponding File Control Block does exist, then control
passes directly to step 214.

At step 214 the redirector 22 builds a new Instance
Control Block and inserts an application handle to enable a
process responsible for issuing the IRP to subsequently
access the particular instance of the accessed file (since a
same process on a service may access several different
points in a single file). Control then passes to step 216.

At step 216, the File Pointer field of the corresponding
Instance Control Block is updated in accordance with any
actions specified in the IRP. Control then passes to the End
step 218.

An illustrative embodiment of the present invention as
well as examples of various exemplary alterations to the
illustrative embodiment have been described above. It
would be known to one of ordinary skill in the area of
network hardware and software architecture to make certain 
modifications to the embodiments described above. Such 
modifications include alterations to the specific contents of 
components of the redirector 22 in accordance with alter- 
native authentication and security measures. Other modifi- 
cations within the scope of the present invention include 
alterations to the status and control components of the 
control blocks which define the characteristics of the plu- 
rality of connections supported by the redirector. It is 
therefore the intent of the inventors to claim all alternative 
embodiments that do not depart from the scope and spirit of 
the invention described in the appended claims. 
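
The lookup of steps 206 to 216 described above, over the Server, File and Instance Control Blocks of FIG. 8, as an added C example that is not code from the patent. Field and function names (`service_request`, `free_connections`) are assumptions, all connections sit on one list rather than one list per service, and the network exchange of steps 208 and 212 is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct icb {            /* Instance Control Block */
    int app_handle;             /* Application Handle 84 */
    long file_pointer;          /* File Pointer 86 */
    struct icb *next;           /* Pointer To Next Instance Control Block 88 */
    struct fcb *parent;         /* Pointer To Parent File Control Block 89 */
} icb_t;

typedef struct fcb {            /* File Control Block */
    char path[64];
    icb_t *instances;
    struct fcb *next;           /* Pointer To Next File Control Block 80 */
    struct scb *parent;         /* Pointer To Parent Server Control Block 82 */
} fcb_t;

typedef struct scb {            /* Server Control Block: one connection */
    unsigned luid;              /* logon identity that owns the connection */
    char server[16];
    fcb_t *files;
    struct scb *next;
} scb_t;

/* Steps 206-216 for a request naming no existing instance control block. */
/* Returns the new Instance Control Block, or NULL on bad input or no memory. */
icb_t *service_request(scb_t **conns, unsigned luid, const char *server,
                       const char *path, int app_handle, long offset)
{
    scb_t *s;
    fcb_t *f;
    icb_t *i;

    /* Reject over-long names: truncation could alias two servers or files. */
    if (strlen(server) >= sizeof s->server || strlen(path) >= sizeof f->path)
        return NULL;
    for (s = *conns; s != NULL; s = s->next)              /* step 206 */
        if (s->luid == luid && strcmp(s->server, server) == 0)
            break;              /* a match needs BOTH LUID and server ID */
    if (s == NULL) {                                      /* step 208 */
        if ((s = calloc(1, sizeof *s)) == NULL)
            return NULL;
        s->luid = luid;
        strcpy(s->server, server);
        s->next = *conns;
        *conns = s;
    }
    for (f = s->files; f != NULL; f = f->next)            /* step 210 */
        if (strcmp(f->path, path) == 0)
            break;
    if (f == NULL) {                                      /* step 212 */
        if ((f = calloc(1, sizeof *f)) == NULL)
            return NULL;
        strcpy(f->path, path);
        f->parent = s;
        f->next = s->files;
        s->files = f;
    }
    if ((i = calloc(1, sizeof *i)) == NULL)               /* step 214 */
        return NULL;
    i->app_handle = app_handle;
    i->file_pointer = offset;   /* step 216, simplified to a plain offset */
    i->parent = f;
    i->next = f->instances;
    f->instances = i;
    return i;
}

/* Frees every control block; returns how many connections (SCBs) existed. */
size_t free_connections(scb_t *s)
{
    size_t n = 0;
    for (scb_t *sn; s != NULL; s = sn, n++) {
        sn = s->next;
        for (fcb_t *f = s->files, *fn; f != NULL; f = fn) {
            fn = f->next;
            for (icb_t *i = f->instances, *in; i != NULL; i = in) {
                in = i->next;
                free(i);
            }
            free(f);
        }
        free(s);
    }
    return n;
}

int main(void)
{
    scb_t *conns = NULL;        /* constructed requests modelled on FIG. 8 */
    icb_t *a = service_request(&conns, 451, "NW312", "\\sys\\foo.txt", 1, 0);
    icb_t *c = service_request(&conns, 453, "NW312", "\\sys\\com.fil", 2, 0);
    if (a != NULL && c != NULL)
        printf("shared: %d\n", a->parent->parent == c->parent->parent);
    printf("connections: %zu\n", free_connections(conns));
    return 0;
}
```

Because the lookup key is the pair (LUID, server ID), the requests from LUID 451 and LUID 453 each get their own Server Control Block for NW312 even though they reach the same server.
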
What is claimed is: 

1. A client computer simultaneously supporting two or 
more networked services comprising: 

a network interface for connecting the client computer to 
a network server over communications facilities; and 

a redirector simultaneously supporting two or more con- 
nections over the communications facilities between 
the client computer and the network server, at least two 
of the connections each having a separate network 
credential and supporting at least two networked ser- 
vices. 

2. The client computer of claim 1, wherein the redirector 
comprises a mechanism for maintaining information for the 
simultaneous connections. 

3. The client computer of claim 2 wherein the mechanism 
for maintaining information includes a connection status 
database for storing independent control information blocks, 
the independent control information blocks comprising 
server control blocks, and each server control block corre- 
sponds to one of the simultaneous connections. 

4. The client computer of claim 3, wherein the indepen- 
dent control information blocks further comprise file control 
blocks linked to the server control blocks, wherein each file 
control block specifies a file accessed through one of the 
simultaneous connections corresponding to one of the linked 
server control blocks. 

5. The client computer of claim 4, wherein the client 
computer, prior to adding a second connection, determines 
that the second connection does not already exist between 
the client computer and a network server, and in response, 
adds the second connection without removing one of the at 
least two connections. 

6. The client computer of claim 5, wherein the client 
computer, in determining that the second connection does 
not already exist, searches the connection status database for 
an entry corresponding to the networked service with the 
associated network server. 

7. The client computer of claim 5, wherein a first of the 
at least two connections is assigned a first set of sockets for 
a first connection, and a second of the at least two connec- 
tions is assigned a second set of sockets for a second 
connection. 

8. The client computer of claim 1, further comprising a set 
of sockets for each one of the simultaneous connections. 

9. The client computer of claim 1, wherein the network 
credentials associated with one of the simultaneous connec- 
tions comprise a logon name and password supplied by one 
of the networked services. 

10. The client computer of claim 1, further comprising a 
security system for receiving the network credentials from at 
least two of the networked services and assigning a unique 
identifier to each of these networked services in association 
with a logon procedure. 

11. The client computer of claim 1, further comprising a 
security system for receiving the network credential from 
one of the networked services and assigning a unique 
identifier to the corresponding connection in association 
with a logon procedure. 

12. The client computer of claim 1, wherein at least two 
of the simultaneous connections between the client com- 
puter and the network server are made using Netware Core 
Protocol (NCP). 

13. The client computer of claim 1, wherein one of the 
networked services is remote file sharing. 

14. The computer network of claim 13 wherein the 
network server is a file sharing server. 

15. The computer network of claim 14 wherein the 
network server is a Netware Core Protocol (NCP) file 
sharing server. 

16. The client computer of claim 1, wherein the network 
redirector further comprises: a logon element list comprising 
logon elements corresponding to logged on services; and a 
mechanism for maintaining control information for the at 
least two of the connections. 

17. The client computer of claim 16, wherein the mecha- 
nism for maintaining control information includes a con- 
nection status database for storing independent control infor- 
mation blocks, the independent control information blocks 
comprising server control blocks, and each server control 
block corresponds to one of the simultaneous connections. 

18. The client computer of claim 17, wherein the inde- 
pendent control information blocks comprise file control 
blocks, linked to the server control blocks, wherein each file 
control block specifies a file accessed through one of the 
simultaneous connections corresponding to one of the linked 
server control blocks. 

19. The client computer of claim 16, wherein each net- 
work credential comprises a logon name and password 
supplied by one of the at least two networked services. 

20. The client computer of claim 1, further comprising 
means for maintaining two or more network connections 
between the client computer and the network server over 
communications facilities. 

21. A network redirector in a client computer for simul- 
taneously supporting two or more connections over com- 
munications facilities between the client computer and a 
network server, at least two of the connections each having 
a separate network credential and supporting at least two 
networked services, the network redirector comprising: 

a logon element list comprising logon elements corre- 
sponding to logged on services; and 
a mechanism for maintaining control information for each 
of the plurality of independent connections. 

22. The network redirector of claim 21, wherein the 
mechanism for maintaining information includes a connec- 
tion status database for storing independent control infor- 
mation blocks, the independent control information blocks 
comprising server control blocks, and each server control 
block corresponds to one of the simultaneous connections. 

23. The network redirector of claim 22, wherein the 
independent control information blocks comprise file con- 
trol blocks, linked to the server control blocks, wherein each 
file control block specifies a file accessed through one of the 
simultaneous connections corresponding to one of the linked 
server control blocks. 

24. The network redirector of claim 21, wherein each 
network credential comprises a logon name and password 
supplied by one of the at least two networked services. 

25. The network redirector of claim 21, further compris- 
ing means for maintaining two or more network connections 
between the client computer and the network server over 
communications facilities. 
26. A method for maintaining two or more network 
connections between a client computer and a network server 
over communications facilities, the client computer simul- 
taneously supporting two or more networked services and 
having a connection status database and a redirector for 
receiving network requests from the networked services and 
forwarding the network requests to the network server, the 
method comprising the steps of: 

establishing a first connection between the client com- 
puter and the network server in order to execute a first 
network request from a process associated with a first 
networked service; 
receiving, by the redirector, a second network request 
from a process associated with a second networked 
service; 

determining that a connection does not exist correspond- 
ing to the second network request, and in response, 
adding a second connection, without removing the first 
connection, between the client computer and the net- 
work server. 

27. The method of claim 26, wherein the client computer, 
in association with the creation of a new connection between 
the client computer and the network server, performs the 
steps of: 

formulating a control information block associated with 
the new connection; and 

storing a unique identification for the networked service 
and a network server identification within the control 
information block in the connection status database. 

28. The method of claim 27, wherein the step of deter- 
mining that a connection does not exist corresponding to the 
second network request comprises searching the connection 
status database for an entry corresponding to the networked 
service with the associated network server as specified in the 
second network request; and 

failing to find the entry in the connection status database. 

29. The method of claim 26, further comprising assigning 
a first set of sockets for the first connection, and assigning 
a second set of sockets for the second connection. 

***** 